Virgin Media SuperHub: 7 second security flaw...

OK folks, no waffling, no hyperbole... I'll get straight to the point.

If you run a Virgin Media SuperHub or Superhub 2, your network is not secure.

The Boot Sequence

When you switch on your device, it takes roughly a minute to fully boot, bring up the network cards/WiFi and start the DHCP server; needed to assign an IP to each device wanting to connect. During that time, the device brings up the WiFi card without any form of encryption.

Let me explain with a timeline view... (click image to enlarge)

As you can see, there's a 7 second window of opportunity for anyone within WiFi range to connect to your network. How many other wireless networks can you see from your home? Chances are, they can see yours too.

Big deal, what can they do in 7 seconds?

At first glance, you'd be forgiven for thinking an attacker couldn't do much damage with such a short window. You'd be wrong.

The Router's UI

Virgin's SuperHub and SuperHub 2 have several constants which an attacker can use to break into your network.

The device listens on two IP addresses by default. 192.168.100.1 and 192.168.0.1.

The default password is "changeme" - and very few people change it, or even know how to change it. This should be a vital part of the setup process - the device should not function until this has been changed, in my opinion.

With those two pieces of information, an attacker has everything they need to gain access to your network. Once logged in, they can access your router's UI (user interface).

Let's look at the WiFi settings page...

Ah wonderful... there's our WiFi encryption key in plain view. An attacker can simply note this down (or store it if the attack is automated) and wait.

Your 7 seconds are up, we're packing WPA2 encryption now!

After the 7 second window, the router takes the WiFi card offline, enables encryption and brings the card back up. That'd be great, if we hadn't already broadcast the encryption key to everyone nearby. That's akin to reading your password aloud, while you change it.

I keep my router on 24/7 - so I'm safe.

Actually, you're not. Using just a few lines of code, it's possible to force the router to reboot remotely. I can (and have with prior permission) sat outside a property, forced a router to reboot and simply waited for the golden 7 second window to arrive.

He'd changed his WiFi password too. Unfortunately, he'd used the same password for his email... so I had access to that too.

From where I am now, there are 6 Virgin Media WiFi routers within range. 1 is far too weak for this exploit to work, leaving 5 vulnerable. I could launch an attack from here, but that's too easy. If only it could be automated...

WiFi Virus

Purely as a proof of concept, I created a self propagating version of this exploit. It searches for vulnerable access points/routers, forces a reboot, grabs the encryption key, connects to the hijacked network, forces any connected client machines to download the exploit and so the loop continues...

Sure it's tricky, time-consuming and far from 100% successful but it really does put home router security into perspective. Remember, this is spreading over WPA2 encrypted networks.

What happens if they access illegal content, pornographic material or abuse Virgin Media's network? The authorities go after the owner of the broadband connection!

Responsible Disclosure

You'd have to be asleep to miss such a glaringly-obvious flaw - but it seems nobody at Virgin Media or Netgear (who build these routers) spotted it... so I contacted Virgin's infamous technical helpdesk.

After going through the inevitable and mind-numbing script, I eventually manage to reach Virgin's Security Engineering Manager on January 27th 2014. Less than 24hrs later, his team had tested and replicated the issue internally.

Say what you will about the exploit, that's very impressive! Unfortunately though, firmware patches take time... so Virgin really are in Netgear's hands here.

After a couple of weeks, I checked in to see if there was an update. No such luck... with a fix estimated in months rather than weeks/days.

If they've confirmed it and are working to patch it, why publish now?

A lead time of 3-6 months really isn't great (it's disgusting actually, but moving on...), but that's not the reason for my decision to publish this information now. You can limit the impact and severity of this exploit simply by changing your router's default password.

An attacker will still be able to connect when there's no encryption, but crucially, they won't be able to grab the encryption key needed to gain access beyond that point.

How to protect yourself (do it now!)

Visit http://192.168.100.1 in your browser.

Login as usual. As you know, the default password is "changeme".

Click "Advanced Settings"

Scroll down to "Device Management" -> "User Interface Management"

Enter a new password and hit "Save".

Click "Home"

Click "Wireless Network Settings"

Enter a new "Passphrase or Security Key" for both the 2.4 & 5Ghz networks.

Click "Save Settings".

You'll need to enter this new key into each wireless device to restore your connection.

That's it.

A simple but effective solution and in the absence of a firmware upgrade, that's really all Virgin Media needed to tell you. Had they done so, you wouldn't be reading this. Instead, it's been radio silence (pun intended)... so now it's down to you.

If you think you may have been affected by this exploit or need assistance to reconfigure your router, drop me an email.